As the number of cloud users keeps growing, IT infrastructure security is among their top three concerns, while cloud cost optimization and lack of expertise/resources are the other two, according to Flexera 2023 State of the Cloud Report.
We’d like to share AWS cloud security best practices used at Apiko, based on over 8 years of experience and dozens of successful projects.
Cloud services: reasons for the growing popularity
According to SaaSworthy, 94% of companies report improvements in online security after migrating to the cloud. It’s largely due to monitoring, testing and alerting automation, as well as special mechanisms that, when configured appropriately, ensure data security and make the IT infrastructure resistant to cyber attacks.
Besides, using cloud services provides more flexibility compared to on-premises computing when it comes to
- data processing and AI implementation
- software scalability and maintenance
- adding new functionality and third-party integrations, and more.
Cloud-based infrastructure is also required for software transition to SaaS model, as it provides high availability due to workload distribution, and is easy to scale within a few minutes. SaaS data security and IT cost minimization are other crucial reasons for choosing the cloud.
You can find real-life examples with more details in our migrating to AWS cloud case study.
Managed cloud security services
As lack of expertise and resources is one of top three concerns of cloud users, managed security services are a real game saver.
Ensuring a safe environment is one of the competencies of Apiko DevOps services. Their initial IT infrastructure audit provides overall examination, including a summary about the security condition in general.
Regardless of the types of cloud architecture, for a thorough in-depth check we run an IT security audit. It is based on AWS security best practices, the main ones we’ll describe below.
AWS cloud security best practices
There are numerous factors that must be taken into account to secure IT infrastructure both on granular level and as a whole. That’s why our AWS security best practices checklist is rather broad.
Let’s take a closer look at what exactly stands behind these practices.
Identity and Access Management
IAM is the foundation for securing your AWS resources. It enables you to safely manage access permissions to AWS services and resources. Our key suggestions for IAM are to:
- Implement multi-factor authentication (MFA) for all IAM users and roles
- Grant the least privileged access to resources which is enough to complete user’s tasks and duties using IAM policies
- Delegate permissions to AWS services and applications using IAM roles
- Manage multiple AWS accounts and apply security policies across them using AWS Organizations.
Cloud data security
Data protection is essential for ensuring its confidentiality and integrity in AWS. Besides the preventative measures, it’s necessary to make sure that your data is backed up and you have a plan to recover from a disaster or a data loss event. To protect cloud data we suggest to:
- Limit access to sensitive data using access control
- Encrypt data at rest and in transit
- Create and control encryption keys using AWS Key Management Service (KMS)
- Manage Secure Socket Layer (SSL) and Transport Layer Security (TLS) certificates, and enable HTTPS for your web applications using AWS Certificate Manager
- Log API calls to AWS services with AWS CloudTrail
- Classify and label data to identify and protect sensitive data
- Set up data backup and recovery
- Back up your data regularly
- Test your backup and recovery procedures regularly
- Store your backups in a different region or account
- Use AWS disaster recovery services, such as AWS CloudEndure, to replicate your systems to another region or account
- Manage the lifecycle of your data with data retention policies.
Besides the above-mentioned practices, it’s necessary to pay special attention to Amazon S3 bucket (a highly scalable object storage service) and cloud database security.
Amazon S3 bucket security tips
- Grant the least privilege access to S3 buckets and objects using S3 bucket policies and IAM policies
- Protect your objects from accidental deletions or overwrites with S3 bucket versioning
- Protect data at rest using S3 server-side encryption (SSE)
- Manage the encryption keys for SSE with KMS
- Improve data transfer speed and reduce latency using S3 Transfer Acceleration
Cloud database security
There are numerous Amazon database services, and some of the most frequently used at Apiko include
- Amazon Relational Database Service (RDS)
- Amazon DocumentDB
- Amazon DynamoDB.
Besides, Amazon ElastiCache is a data store service that provides high-performance scalable caching for web applications. Our cloud data security best practices are the following:
- Use a private IP address for your DB instance
- Encrypt data in transit using SSL
- Control access to your instance or table/cluster using IAM
- Use automated data backups
- Encrypt your data at rest
- Control inbound and outbound traffic to your DB instance or ElastiCache cluster using Virtual Private Cloud (VPC) security groups
- Connect to DynamoDB securely with VPC endpoints
- Use Amazon CloudWatch to monitor your DynamoDB tables for suspicious activity
- Enable multi-region replication and disaster recovery with DynamoDB global tables
- Use SSL encryption for Amazon ElastiCache client connections.
Network security best practices
Network security is critical for protecting your AWS resources from external attacks. Below we’ll briefly describe some of the most useful cloud security technologies.
AWS Virtual Private Cloud (VPC) allows you to create an isolated virtual network in the cloud. Here are some key considerations for securing your VPC:
- Control access to resources and limit exposure to the public internet using VPC
- Isolate resources and reduce the attack surface with private subnets
- Filter traffic at the subnet level with Network Access Control Lists (NACLs)
- Filter traffic at the instance level using security groups
- Protect your resources from DDoS attacks with Amazon CloudFront, Amazon Route 53, and AWS Shield
- Encrypt data in transit using SSL/TLS
- Manage SSL/TLS certificates with AWS Certificate Manager
- Use HTTPS for web traffic and secure protocols for other types of traffic
- Access AWS services securely without exposing your traffic to the public internet with AWS PrivateLink
- Connect to your VPC securely with VPN or AWS Direct Connect.
AWS Web Application Firewall (WAF) protects your web applications from common web threats, e.g. SQL injection and cross-site scripting (XSS) attacks. It also secures APIs from exploits, such as distributed denial of service (DDoS) attacks and bad bots, and blocks traffic from known malicious IP addresses and botnets.
AWS Shield is a managed service that helps protect your applications from DDoS attacks. AWS Shield Advanced provides additional DDoS protection and offers AWS DDoS Response Team support during a DDoS attack.
Logging and monitoring
It’s essential to detect and respond to security incidents in AWS. That’s where logging and monitoring come in handy, allowing to
- Log API calls to AWS services using AWS CloudTrail
- Monitor AWS resources and applications with Amazon CloudWatch
- Monitor and manage compliance with AWS resources using AWS Config
- Aggregate and analyze security alerts with AWS Security Hub
- Detect and prevent security threats using Amazon GuardDuty.
Application security in the cloud
When you host your application in the cloud, it’s necessary to protect its users and data. Here are the basic security measures we use at Apiko and suggest you to follow.
- Use strong authentication and authorization mechanisms
- Secure user accounts with strong passwords and multi-factor authentication.
- Implement OAuth or OpenID Connect for third-party authentication.
-
Enable HTTPS and HSTS
- Encrypt all communication between the client and server using HTTPS.
- Prevent downgrade attacks with HTTP Strict Transport Security (HSTS).
-
Protect against cross-site scripting (XSS) and SQL injection attacks
- Sanitize user inputs to prevent XSS attacks.
- Use parameterized queries to prevent SQL injection attacks.
-
Implement rate limiting
- Implement rate limits to prevent brute force attacks and Denial of Service (DoS) attacks.
- Set up rate limiting for your RESTful APIs using Amazon API Gateway, so that the number of requests per second cannot exceed a certain limit, and once it does, an error occurs.
-
Secure your sessions
- Prevent session hijacking with secure cookies.
- Use HTTPS for session management.
- Store sessions securely using AWS ElastiCache.
-
Implement CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) for user submits
-
Implement CAPTCHA to prevent automated attacks and account creation.
-
Set up CAPTCHA for serverless architectures using AWS Lambda.
-
Conclusion
It’s a good idea to implement security measures starting from the initial steps of application development. You can also always use the AWS security best practices checklist provided in this article to double check if your cloud network, resources and application are protected.
Do not hesitate to contact Apiko if you feel like you could use a hand. We’ll make sure you stay up-to-date with the latest security practices, and we’ll provide a regular audit of your security policies and techniques so your application remains secure.